Package access may depend on facets. To grant package access, you're effectively saying that you want some objects to have greater authority over a given object than others hold. Sounds like facets to me. So, given facets... A has a reference to B. Both are purportedly in the same package, but of different classes. A wishes to invoke a package scoped method on B, but only has a normal authority reference. A must somehow convert the normal facet of B into a package facet of B. Or, A must arrange for a third party to deliver the message, even though the direct reference cannot be used for the delivery. How about a confined package key that is passed as the first argument of any package message. If the key doesn't match, the method rejects the message. The loader hands out package keys based on cryptohashes. Problem: I masquerade as an object of type Q that you will send a package message to. You hand me the key when you send that message to me. Solution: a PackageKeyWrapper. To send a package message, I allocate a new PackageKeyWrapper wrapping the package key. PackageKeyWrapper is a trusted system class. I pass the wrapper to the receiver. The receiver checks to make sure the first argument is a genuine PackageKeyWrapper (i.e. trustable), and then asks the PKW to compare the wrapped key with the receiver's own package key. Actually, there's no need for loader support: A static method on a package object's class can forward a token object to an interface on an object within the package when asked to. The object then makes its own anonymous PackageKeyWrapper around the token object. What you want to be able to do is promote a normal facet into a more powerful package facet. packageFacet = packagePromoter.promote(normalFacet); The packagePromoter facet of the package object is only handed out to package members via a callback with class ownership comparison. When a class that is a member of a package is loaded, it acquires the package promotion object, and arranges for all instances of the class to have a reference to said promotion object. The acquisition callback can be synchronous allowing the immediate instantiation of objects of the class. All of the promotable facets of an object implement the Promoter interface: packageFacet = normalFacet.promote(packageKey); The packagePromoter only calls this on objects in the package. How can this be done efficiently without getClass()? alledgedClass = normalFacet.getAlledgedClass() ; if (packageClasses.contains(alledgedClass) && alledgedClass.isTypeOf(normalFacet)) { // } normalFacet's promote (which will probably delegate to the central object behind all of the facets) just looks up the facet to return in a hashtable using the packageKey. A question still remains: how to keep someone from changing the behavior of one of the classes in a package. That operation must require the package as a whole to be resealed. The package object contains references to all of the classes that are its members. Each member has a packageKey for each package it is a member of. The classes in the package must be compiled first, and each contains the name (but not cryptohash) of the packages it is a member of. The package object is created next, and it knows the cryptohashes of the classes it contains. When a member class of the package is loaded, it contains a reference to the package name, which causes the loader to load the package object. The package name must somehow contain enough information (without having a cryptohash) to make spoofing impossible. Public key crypto is a possibility here. The package name contains the public key for the package. The package object contains a signature over the cryptohashes of the classes that are members of the package. Only the holder of the private key for the package can add new members to the package. In the member class: Package.sendPackageKey(packageNameAndPublicKey, this); results, after authentication of membership, in: installPackageKey(packageNameAndPublicKey, packageKey); Better idea: You specify a package object, and the class within that package that you want to reference. The loader maintains a separate namespace for each package. The same class as loaded within seperate packages results in different class references.